ADVISORIES
- OSVDB-97854
- Vendor Advisory
GEM
PATCHED VERSIONS
- >= 0.9.6
DESCRIPTION
The Dragonfly gem for Ruby contains a flaw: the program fails to properly escape shell commands that contain injected characters. A context-dependent attacker may be able to execute arbitrary commands.
This gem has been renamed. Please use "dragonfly" from now on.
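The class of flaw described above, shown as an added example that is not Dragonfly's code: a value interpolated into a shell command string unescaped, next to two corrected forms. The method names and the sample file name are constructed for illustration, and a POSIX `sh` with an `echo` binary is assumed.

```ruby
require "open3"
require "shellwords"

# Constructed sample input: a file name carrying shell metacharacters.
UNTRUSTED = "photo.png; echo INJECTED"

# Before: the value is interpolated into a single command string, so
# /bin/sh parses the ';' as a command separator and runs a second command.
def run_unescaped(arg)
  out, _status = Open3.capture2("echo #{arg}")
  out.lines.map(&:chomp)
end

# After (1): escape the untrusted value before it reaches the shell, so the
# metacharacters are passed through as literal text in one argument.
def run_escaped(arg)
  out, _status = Open3.capture2("echo #{Shellwords.escape(arg)}")
  out.lines.map(&:chomp)
end

# After (2): pass the program and its arguments as separate elements.
# Ruby executes the program directly and no shell parses the value.
def run_argv(arg)
  out, _status = Open3.capture2("echo", arg)
  out.lines.map(&:chomp)
end

# Print each variant's output lines for comparison.
{ unescaped: run_unescaped(UNTRUSTED),
  escaped:   run_escaped(UNTRUSTED),
  argv:      run_argv(UNTRUSTED) }.each do |name, lines|
  puts "#{name}: #{lines.inspect}"
end
```

The unescaped variant returns two output lines because the shell ran two commands; both corrected variants return the input unchanged as a single line.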
RELATED
- https://github.com/markevans/dragonfly/blob/master/spec/dragonfly/shell_spec.rb#L26
- https://github.com/markevans/dragonfly/pull/506
- https://github.com/markevans/dragonfly/commit/f4f8e37a171a34f0ef3a6d80b52f44ed4d66d3bc
- https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20016
- http://osvdb.org/show/osvdb/97854